exploit the possibilities

EMC Documentum Web Development Kit XSS / CSRF / Redirection / Injection

EMC Documentum Web Development Kit XSS / CSRF / Redirection / Injection
Posted Jan 6, 2015
Site emc.com

Documentum Web Development Kit (WDK) and WDK-based clients contain cross site scripting, cross site request forgery, URL redirection, insufficient randomness, and frame injection vulnerabilities.

tags | advisory, web, vulnerability, xss, csrf
advisories | CVE-2014-4635, CVE-2014-4636, CVE-2014-4637, CVE-2014-4638, CVE-2014-4639
SHA-256 | 5723d492c782836a6ea35341d64a0bc9cd8f7b71e77c2cdeae6a36557bb3eb80

EMC Documentum Web Development Kit XSS / CSRF / Redirection / Injection

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2014-180: EMC Documentum Web Development Kit Multiple Vulnerabilities

EMC Identifier: ESA-2014-180

CVE Identifier: CVE-2014-4635, CVE-2014-4636, CVE-2014-4637, CVE-2014-4638, CVE-2014-4639

Severity Rating: See below for individual scores for each CVE

Affected Products:

All EMC Documentum Web Development Kit (WDK) based clients bundled with version 6.7 SP2 and earlier:

EMC WebTop 6.7 SP2 and earlier
EMC Documentum Administrator 7.1 and earlier
EMC Records Client 6.7 SP2 and earlier
EMC Digital Assets Manager 6.5 SP6 and earlier
EMC Web Publishers 6.5 SP7 and earlier
EMC Task Space 6.7 SP2 and earlier
EMC Engineering Plant Facilities Management Solution for Documentum 1.7 SP1 and earlier
EMC Capital Projects 1.9 and earlier

Summary:

EMC Documentum Web Development Kit (WDK) and WDK-based clients contain multiple vulnerabilities that could potentially be exploited by attackers to target the affected systems.

Details:

The vulnerabilities addressed in Documentum WDK 6.8 are:

1. Cross-Site Scripting (CVE-2014-4635)
EMC Documentum WDK and WDK based clients may be affected by multiple cross-site scripting vulnerabilities that could potentially be exploited by an attacker to inject malicious HTML or scripts. This may lead to execution of malicious code in the context of the authenticated user.
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

2. Cross-Site Request Forgery (CVE-2014-4636)
EMC Documentum WDK and WDK based clients may be affected by a cross-site request forgery vulnerability. An attacker can potentially exploit this vulnerability to trick authenticated users of the application to click on specially crafted links that are embedded within an email, web page, or other source and perform Docbase operations with that user's privileges.
CVSSv2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

3. URL Redirection (CVE-2014-4637)
EMC Documentum WDK and WDK based clients may be affected by a URL redirection vulnerability that may allow attackers to redirect users to arbitrary web sites and conduct phishing attacks. The attacker can specify the location of the arbitrary site in the un-validated parameter of a crafted URL. If this URL is accessed, the browser is redirected to the arbitrary site specified in the parameter.
CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

4. Frame Injection (CVE-2014-4638)
EMC Documentum WDK and WDK based clients may be affected by a frame injection vulnerability. An attacker can potentially exploit this vulnerability to induce a user to navigate to a web page the attacker controls; the attacker's page loads a third-party page in an HTML frame. This could result in the attacker stealing sensitive information.
CVSSv2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

5. Parameter Generated with Insufficient Randomness (CVE-2014-4639)
EMC Documentum WDK and WDK based clients use a parameter that is being generated with insufficient randomness to reference Webtop components. An attacker can potentially exploit this vulnerability by predicting the parameter, helping the attacker to launch phishing attacks.
CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Resolution:

EMC Documentum Webtop Version 6.8 contains the resolution to these issues:

This advisory will be updated as EMC certifies other WDK-based clients which bundle WDK 6.8.

Link To Remedies:

Registered EMC Online Support customers can download software for their respective products by navigating to the link below:

EMC Documentum Webtop Versions 6.8 https://emc.subscribenet.com/control/dctm/product?child_plneID=685111

EMC Product Security Response Center
security_alert@emc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlSqxTAACgkQtjd2rKp+ALxcNwCeN5QZ8DzN12zhb23k+CPNhnz8
WsMAniIFTTk1FOd+IdkI9A+pdsn/O8r9
=+D8V
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    5 Files
  • 26
    May 26th
    12 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close